
POC details: 625d94a71844494560dbdf63b590753e59604616

Related vulnerability
Title: Sudo security vulnerability (CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that lets users run commands with elevated privileges in a controlled way. Sudo versions before 1.9.17p1 contain a security vulnerability: loading /etc/nsswitch.conf from a user-controlled directory can lead to root access.

Description
Environment and Nuclei template to test CVE-2025-32463

Introduction
# CVE-2025-32463 - Setup and Execution Guide

This is the first time I’ve ported a malicious exploit into a Nuclei template for a non-intrusive vulnerability scan that still demonstrates the underlying issue.

I documented the process in more detail expressly as a learning exercise.

My main challenges were:

- How to modify the original exploit code into something safe that can effectively test privilege escalation without obtaining a root shell as the original exploit did.
- I ran into some issues with Nuclei template syntax when using the code engine. I'm not accustomed to creating templates this way, so I was caught a few times by the need to sign the template and include the `-itags local` parameter, since the local tag is ignored by default in [.nuclei-ignore](https://docs.projectdiscovery.io/opensource/nuclei/running#executing-nuclei-templates) settings.
- I was unsure whether compiling C code inside a template is an accepted approach (there are very few examples like that in the official repository).

It may seem weird that I chose the Windows environment for this activity. The fact is that Windows is my default operating system for reasons I won’t go into here.

## Containerized Environment Setup

```bash
docker-compose up --build -d
```

## Signing the Nuclei Template (Required for Code Engine)

This template uses the `code` engine, which requires the template to be signed before Nuclei will execute it. The template is already signed in this repository.

### Signing keys setup (already configured)

The `docker-compose.yaml` is configured to mount your Windows Nuclei signing keys from `%APPDATA%\nuclei\keys` into the containers. This allows the signed template to be verified.

### If you need to re-sign the template on your host:

_On Windows host (requires Nuclei installed)._

```bash
nuclei -t cve-2025-32463.yaml -sign
```

This will sign the template and add a digest field.

**Note:** The first time you run this command, Nuclei will create signing keys in `%APPDATA%\nuclei\keys` and prompt for:

1. User/Organization Name
2. Passphrase for the private key

## Execute Nuclei scan inside the target container

### Vulnerable Sudo Version

**Linux/macOS/Git Bash:**

```bash
docker exec -u testuser vulnerable-sudo-target sh -c 'nuclei -itags local -t /tmp/template.yaml -target localhost -code'
```

**Windows PowerShell/CMD:**

```powershell
docker exec -u testuser vulnerable-sudo-target sh -c "nuclei -itags local -t /tmp/template.yaml -target localhost -code"
```

**Alternative (works on all platforms):**

```bash
docker exec -u testuser vulnerable-sudo-target nuclei -itags local -t /tmp/template.yaml -target localhost -code
```

**Notes:**

- The `-code` flag is required to enable code protocol-based templates
- Use `sh -c '...'` to avoid Windows path conversion issues with MSYS2/Git Bash
- The template should show: `[INF] Executing 1 signed templates from <your-username>`

### Patched Sudo Version

**Windows PowerShell/CMD:**

```powershell
docker exec -u testuser patched-sudo-target sh -c "nuclei -itags local -t /tmp/template.yaml -target localhost -code"
```

**Alternative (works on all platforms):**

```bash
docker exec -u testuser patched-sudo-target nuclei -itags local -t /tmp/template.yaml -target localhost -code
```

**Notes:**

- The `-code` flag is required to enable code protocol-based templates
- Windows Git Bash: Use double quotes `"..."` or the alternative command without `sh -c`
- The template should show: `[INF] Executing 1 signed templates from <your-username>`

## Alternative: Manual Exploit Test

If you want to verify the vulnerability without signing the Nuclei template, you can run the exploit script directly:

Copy and run the exploit script.

```bash
docker cp exploit.sh vulnerable-sudo-target:/tmp/exploit.sh
docker exec -u testuser vulnerable-sudo-target bash /tmp/exploit.sh
```

Expected output: `woot!` followed by a root shell (in interactive mode).

## Expected Output

### Nuclei Scan Output - Vulnerable Container

```bash
[CVE-2025-32463] [code] [critical] localhost ["VULNERABLE UID=1000 EUID=0"]

[INF] Executing 1 signed templates from <your-username>
[INF] Scan completed in 140.454595ms. 1 matches found.
```

**Detection confirmed:** `UID=1000 EUID=0` proves that code from testuser (1000) executed with root privileges (0).

### Nuclei Scan Output - Patched Container

```bash
[INF] Executing 1 signed templates from <your-username>
[INF] Scan completed in 143.319373ms. No results found.
```

**No vulnerability detected** - The patched sudo version prevents the library from being loaded, so the template's matcher never fires.
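The two scan outputs above distinguish a vulnerable from a patched container by actually triggering the bug. A cheaper first pass, useful on hosts where you cannot run signed code templates at all, is to classify the installed sudo by version. The script below is an added example, not part of this repository or of the Nuclei template; it assumes that `sudo --version` prints `Sudo version X.Y.Z[pN]` on its first line. The page names only the fix release, 1.9.17p1; the lower bound used here, 1.9.14, is the release that introduced the chroot (`-R`) option the bug lives in, so older 1.8.x and early 1.9.x builds are reported as not affected.

```shell
#!/bin/sh
# Added example (not from the original repository): a version-based
# pre-check for CVE-2025-32463 that runs as an unprivileged user and
# never exercises the vulnerable chroot code path.

# Map "MAJOR.MINOR.PATCH[pLEVEL]" to a sortable integer,
# e.g. 1.9.17p1 -> 1091701 and 1.9.17 -> 1091700 (no pN suffix means p0).
sudo_version_key() {
    v=$1
    base=${v%%p*}
    case $v in
        *p*) plevel=${v##*p} ;;
        *)   plevel=0 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $base
    IFS=$oldifs
    printf '%d%02d%02d%02d' "${1:-0}" "${2:-0}" "${3:-0}" "$plevel"
}

# True (exit 0) when the version is in the affected range:
# 1.9.14 <= version < 1.9.17p1 (the fix release named on the page).
sudo_version_vulnerable() {
    key=$(sudo_version_key "$1")
    [ "$key" -ge "$(sudo_version_key 1.9.14)" ] &&
        [ "$key" -lt "$(sudo_version_key 1.9.17p1)" ]
}

# Pull the version string out of `sudo --version` output.
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Produce a one-line verdict in the spirit of the scan output on the page.
classify_sudo() {
    if [ -z "$1" ]; then
        echo "UNKNOWN: could not determine sudo version"
    elif sudo_version_vulnerable "$1"; then
        echo "VULNERABLE sudo $1 (older than 1.9.17p1)"
    else
        echo "NOT AFFECTED sudo $1"
    fi
}

# Inspect the locally installed sudo, if there is one.
check_local_sudo() {
    if command -v sudo >/dev/null 2>&1; then
        classify_sudo "$(parse_sudo_version "$(sudo --version 2>/dev/null)")"
    else
        echo "UNKNOWN: sudo not installed"
    fi
}

# Constructed sample, shaped like `sudo --version` on the patched container.
SAMPLE_PATCHED='Sudo version 1.9.17p1
Sudoers policy plugin version 1.9.17p1'

# Show the verdict for the constructed sample, a vulnerable version,
# and whatever sudo is installed locally.
classify_sudo "$(parse_sudo_version "$SAMPLE_PATCHED")"
classify_sudo 1.9.17
check_local_sudo
```

Run it inside either container as `testuser` (`docker exec -u testuser vulnerable-sudo-target sh /tmp/check.sh`, after copying it in) to get a verdict without the signing setup. A version check is only a screen, not proof: distributions sometimes backport the fix without bumping the version string, which is exactly the gap the code-engine template above closes.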

## See Also

For detailed technical explanation of the vulnerability, attack vectors, and detection methodology, refer to the **[Technical Notes](TECHNICAL-NOTES.md)** document.
File snapshot

```text
[4.0K] /data/pocs/625d94a71844494560dbdf63b590753e59604616
├── [3.0K] cve-2025-32463.yaml
├── [1.2K] docker-compose.yaml
├── [1.3K] exploit.sh
├── [   0] output.txt
├── [4.0K] patched
│   └── [1.2K] Dockerfile
├── [4.6K] README.md
├── [1.1K] sign-template.ps1
├── [8.0K] TECHNICAL-NOTES.md
└── [4.0K] vulnerable
    └── [1.7K] Dockerfile

3 directories, 9 files
```